This repository has been archived by the owner on Feb 9, 2024. It is now read-only.

(5.5) Backport teleport fix for trusted clusters regression #1577

Merged
merged 2 commits into from
May 18, 2020


r0mant
Contributor

@r0mant r0mant commented May 18, 2020

Description

Revendor Teleport fix (gravitational/teleport#3726) that fixes a regression with trusted clusters back from January (gravitational/teleport#3252). This was fixed in later versions but never backported to 5.5.

The gist of the issue is that after connecting a leaf cluster to a root cluster, the leaf cluster would attempt to look up the role a user has in the root cluster (i.e. from the certificate) instead of using role mapping.

Type of change

  • Regression fix (non-breaking change which fixes a regression)

Linked tickets and other PRs

TODOs

  • Self-review the change
  • Perform manual testing
  • Address review feedback

Testing done

Setup

Role in the hub:

kind: role
version: v3
metadata:
  name: viewer
spec:
  allow:
    kubernetes_groups:
    - view
    logins:
    - guest


Trusted cluster role mapping:

  role_map:
  - remote: "viewer"
    local: ["@teleadmin", "admin"]

Before

➜  bin ./tele login --hub=hub.gravitational.io:32009 testcluster --token=viewer-token
Hub:		hub.gravitational.io
Username:	viewer
Cluster:	testcluster
Expires:	Never
➜  bin ./tsh ls
error: role "viewer" is not found

After

➜  bin ./tsh ls
Node Name                  Address             Labels
-------------------------- ------------------- ---------------------------------------------------------------
192_168_99_103.testcluster 192.168.99.103:3022 advertise-ip=192.168.99.103, app-role=node
                                               display-role=Gravity Auto Node, fqdn=192_168_99_103.testcluster
                                               gravitational.io/k8s-role=master, hostname=node-2
                                               instance-type=, role=node

@r0mant r0mant requested a review from a team May 18, 2020 15:39
@r0mant r0mant self-assigned this May 18, 2020
@r0mant r0mant requested review from a-palchikov and knisbet May 18, 2020 15:39
@r0mant r0mant merged commit 0714492 into version/5.5.x May 18, 2020
@r0mant r0mant deleted the roman/5.5/rolemap3 branch May 18, 2020 18:06
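
The difference between the "Before" and "After" output above, as an added Go example that is not part of this PR or of Teleport's code: the leaf cluster has to translate the certificate's root-cluster role through `role_map` before looking anything up locally. `RoleMapping`, `MapRoles` and `CheckRoles` are hypothetical names, the leaf role set is constructed from the mapping shown in the PR, and matching is exact-name only.

```go
package main

import "fmt"

type RoleMapping struct { // one role_map entry of a trusted cluster resource
	Remote string   // role name in the root cluster
	Local  []string // role names granted in the leaf cluster
}

// MapRoles maps certificate (root) roles to leaf roles; exact match, fails closed.
func MapRoles(roleMap []RoleMapping, remote []string) ([]string, error) {
	seen := map[string]bool{}
	var local []string
	for _, r := range remote {
		for _, m := range roleMap {
			if m.Remote != r {
				continue
			}
			for _, l := range m.Local {
				if !seen[l] {
					seen[l] = true
					local = append(local, l)
				}
			}
		}
	}
	if len(local) == 0 {
		return nil, fmt.Errorf("no role mapping for remote roles %q", remote)
	}
	return local, nil
}

// CheckRoles verifies that every named role is defined in the leaf cluster.
func CheckRoles(defined map[string]bool, names []string) error {
	for _, n := range names {
		if !defined[n] {
			return fmt.Errorf("role %q is not found", n)
		}
	}
	return nil
}

func main() {
	roleMap := []RoleMapping{{Remote: "viewer", Local: []string{"@teleadmin", "admin"}}}
	leaf := map[string]bool{"@teleadmin": true, "admin": true} // constructed leaf role set
	fmt.Println("unmapped lookup:", CheckRoles(leaf, []string{"viewer"}))
	local, err := MapRoles(roleMap, []string{"viewer"})
	fmt.Println("mapped:", local, err, CheckRoles(leaf, local))
}
```

A remote role with no `role_map` entry yields an error rather than an empty role set, so an unmapped root-cluster user gets no access in the leaf cluster.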